storage: fix adb bugreport and refactor the existing rules

avc: denied { getattr } for comm="df" path="/mnt/vendor/persist" dev="sda15" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1
avc: denied { call } for comm="binder:10121_3" scontext=u:r:dumpstate:s0 tcontext=u:r:vold:s0 tclass=binder permissive=1
avc: denied { getattr } for comm="df" path="/mnt/vendor/efs" dev="sda5" ino=3 scontext=u:r:dumpstate:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1
avc: denied { getattr } for comm="df" path="/mnt/vendor/modem_userdata" dev="sda7" ino=3 scontext=u:r:dumpstate:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1

Bug: 361093041
Test: local build
Change-Id: I5c6be63beebf66d64db7e495c28493ab35621054
Signed-off-by: Randall Huang <huangrandall@google.com>
diff --git a/storage/sepolicy/dump_storage.te b/storage/sepolicy/dump_storage.te
index 5324c17..7a5f563 100644
--- a/storage/sepolicy/dump_storage.te
+++ b/storage/sepolicy/dump_storage.te
@@ -1,8 +1,11 @@
+# adb bugreport
 pixel_bugreport(dump_storage)
 
+# adb bugreport
 allow dump_storage sysfs_scsi_devices_0000:dir r_dir_perms;
 allow dump_storage sysfs_scsi_devices_0000:file r_file_perms;
 
+# adb bugreport
 userdebug_or_eng(`
   allow dump_storage debugfs_f2fs:dir r_dir_perms;
   allow dump_storage debugfs_f2fs:file r_file_perms;
@@ -17,7 +20,10 @@
   allow dump_storage dump_storage_data_file:file create_file_perms;
 ')
 
+# adb bugreport
 get_prop(dump_storage, boottime_public_prop)
 
+# adb bugreport
 dontaudit dump_storage debugfs_f2fs:dir r_dir_perms;
 dontaudit dump_storage debugfs_f2fs:file r_file_perms;
+
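Review bot: The `# adb bugreport` comment above the two `dontaudit dump_storage debugfs_f2fs` rules does not say why denials are being hidden, even though the same type is granted inside `userdebug_or_eng` in the previous hunk. If the intent is that user builds never get debugfs access and the resulting denials are expected noise, the comment should say so, for example `# user builds: debugfs_f2fs is only readable under userdebug_or_eng; suppress the expected denials`. That tells a later reader the dontaudit is deliberate and is not masking a missing permission. The `userdebug_or_eng` block is only partly visible between the two hunks, so this reading is inferred.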
diff --git a/storage/sepolicy/dumpstate.te b/storage/sepolicy/dumpstate.te
index 2c01193..2220870 100644
--- a/storage/sepolicy/dumpstate.te
+++ b/storage/sepolicy/dumpstate.te
@@ -1 +1,7 @@
-allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
\ No newline at end of file
+# adb bugreport
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir { getattr };
+allow dumpstate modem_efs_file:dir { getattr };
+allow dumpstate modem_userdata_file:dir { getattr };
+allow dumpstate vold:binder { call };
+
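Review bot: `allow dumpstate vold:binder { call };` opens a binder path from dumpstate into vold, yet the vold.te hunk of this commit keeps `dontaudit vold dumpstate:fifo_file rw_file_perms;` and `dontaudit vold dumpstate:fd use ;`, so vold still cannot write to the bugreport pipe and the call probably returns nothing useful. The quoted denial was logged with permissive=1, which shows only that the call is attempted, not that the bugreport depends on it. Unless vold output is actually wanted in the report, `dontaudit dumpstate vold:binder call;` would quiet the log without granting access to a domain as privileged as vold. The three `getattr` grants match the `df` denials in the commit message, and a comment such as `# df stats the vendor mount points during bugreport` would tie them to that cause.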
diff --git a/storage/sepolicy/e2fs.te b/storage/sepolicy/e2fs.te
index 464b4ce..92ff839 100644
--- a/storage/sepolicy/e2fs.te
+++ b/storage/sepolicy/e2fs.te
@@ -7,3 +7,4 @@
 };
 allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
 allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
+
diff --git a/storage/sepolicy/fastbootd.te b/storage/sepolicy/fastbootd.te
index 35bac15..e571d0b 100644
--- a/storage/sepolicy/fastbootd.te
+++ b/storage/sepolicy/fastbootd.te
@@ -1 +1,3 @@
+# fastbootd
 allow fastbootd devpts:chr_file rw_file_perms;
+
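Review bot: The added `# fastbootd` comment repeats the file name and records nothing about why fastbootd needs `rw_file_perms` on `devpts:chr_file`. The same applies to `# file.te` in file.te, `# f2fs` in genfs_contexts, `# init` in init.te and `# vendor_init` in vendor_init.te. Allow rules are easier to audit when the comment names the consumer or the denial the rule resolves, in a form like `# <tool or feature>: <what it reads or writes>`. The init.te rule in particular grants `w_file_perms` on a sysfs type and deserves a stated reason.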
diff --git a/storage/sepolicy/file.te b/storage/sepolicy/file.te
index ed4f925..0fa9564 100644
--- a/storage/sepolicy/file.te
+++ b/storage/sepolicy/file.te
@@ -1,4 +1,6 @@
+# file.te
 type debugfs_f2fs, debugfs_type, fs_type;
 type dump_storage_data_file, file_type, data_file_type;
 type sg_device, dev_type;
 type sg_util_exec, exec_type, vendor_file_type, file_type;
+
diff --git a/storage/sepolicy/fsck.te b/storage/sepolicy/fsck.te
index 88efb35..7369bb4 100644
--- a/storage/sepolicy/fsck.te
+++ b/storage/sepolicy/fsck.te
@@ -4,3 +4,4 @@
 allow fsck modem_userdata_block_device:blk_file rw_file_perms;
 allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
 allow fsck sysfs_scsi_devices_0000:file r_file_perms;
+
diff --git a/storage/sepolicy/genfs_contexts b/storage/sepolicy/genfs_contexts
index 1a27ec4..69baae6 100644
--- a/storage/sepolicy/genfs_contexts
+++ b/storage/sepolicy/genfs_contexts
@@ -1 +1,3 @@
+# f2fs
 genfscon debugfs /f2fs     u:object_r:debugfs_f2fs:s0
+
diff --git a/storage/sepolicy/hal_health_default.te b/storage/sepolicy/hal_health_default.te
index 58ec649..49bf50c 100644
--- a/storage/sepolicy/hal_health_default.te
+++ b/storage/sepolicy/hal_health_default.te
@@ -1,2 +1,3 @@
 # dumpsys android.hardware.power.stats.IPowerStats/default
 r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
+
diff --git a/storage/sepolicy/hal_health_storage_default.te b/storage/sepolicy/hal_health_storage_default.te
index af6593a..20a3b7d 100644
--- a/storage/sepolicy/hal_health_storage_default.te
+++ b/storage/sepolicy/hal_health_storage_default.te
@@ -1,3 +1,4 @@
 # Access to /sys/devices/platform/*ufs/*
 allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
+
diff --git a/storage/sepolicy/hal_power_stats_default.te b/storage/sepolicy/hal_power_stats_default.te
index 4d4dda7..edd286c 100644
--- a/storage/sepolicy/hal_power_stats_default.te
+++ b/storage/sepolicy/hal_power_stats_default.te
@@ -1,2 +1,3 @@
 # dumpsys android.hardware.power.stats.IPowerStats/default
 r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
+
diff --git a/storage/sepolicy/init.te b/storage/sepolicy/init.te
index 7070318..dc24247 100644
--- a/storage/sepolicy/init.te
+++ b/storage/sepolicy/init.te
@@ -1 +1,3 @@
+# init
 allow init sysfs_scsi_devices_0000:file w_file_perms;
+
diff --git a/storage/sepolicy/vendor_init.te b/storage/sepolicy/vendor_init.te
index da4fcba..f5f17e4 100644
--- a/storage/sepolicy/vendor_init.te
+++ b/storage/sepolicy/vendor_init.te
@@ -1 +1,3 @@
+# vendor_init
 allow vendor_init sg_device:chr_file r_file_perms;
+
diff --git a/storage/sepolicy/vold.te b/storage/sepolicy/vold.te
index 87387a7..529f495 100644
--- a/storage/sepolicy/vold.te
+++ b/storage/sepolicy/vold.te
@@ -5,9 +5,11 @@
 allow vold userdata_exp_block_device:blk_file rw_file_perms;
 allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;
 
+# adb bugreport
 dontaudit vold dumpstate:fifo_file rw_file_perms;
 dontaudit vold dumpstate:fd use ;
 
 # fix idle-maint
 allow vold efs_block_device:blk_file { getattr };
 allow vold modem_userdata_block_device:blk_file { getattr };
+